Open-AudIT
https://www.open-audit.org/phpBB3/

New audit windows script
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5728

Author:  Mark [ Thu Jun 09, 2011 9:45 am ]
Post subject:  New audit windows script

I have uploaded a new "audit_windows.vbs" to the beta 1.1 download page.
Changes include:
org_id able to be set on the command line. If you set this, when the system is submitted, it should automagically set the "man_org_id" on the system. NOTE - It will need a new copy of the file m_system.php which I haven't yet uploaded.

Further monitor manufacturer identification.
I try to account for the returned manufacturer being not relevant (i.e. "standard monitor types"), by checking this and then checking the model. If a certain model is discovered, we can correctly set the manufacturer. NOTE - if you are seeing returned results with "standard monitor type" set, but the correct model number, please send me the model number and the manufacturer. I can then (manually) account for these in the audit script.

Mount Points are disabled by default. You can enable them by adding skip_mount_point=n on the command line (or changing the default value at the start of the script). NOTE - this also applies to Printers.

Hopefully that will sort out the remaining issues.

I'll create Beta 1.2 soon (with incorporated OrgID stuff and more).

Author:  JayDee [ Thu Jun 09, 2011 11:34 pm ]
Post subject:  Re: New audit windows script

Mark,
Ran the new audit_windows.vbs on my Win7 Pro test machine and the "skip_mount_point=y" setting. Ran fine, only shows C: drive but this is an old re-installed machine so I wasn't expecting much. The C: drive did show an interesting serial number though:
MAXTOR 6L040J2 ATA Device
Size: 38,177 MiB
Interface: IDE
Model: MAXTOR 6L040J2 ATA Device
Serial: 3636323230303432363937392020202020202020
which looks more hex than anything else :)
And on the monitor front it was recognized but displayed as:

Manufacturer: @oem7.inf,%acer%;Acer Incorporated
Model: Acer S202HL
Manufacturer Date: 12/2010
Description:
Serial: LR4080114210

(with those "%" signs in the Manufacturer line).
The icon at the right also didn't display (not surprisingly) but didn't default to a generic one

<img width="100" title="" alt="" src="http://SERVERNAME/OAv2/device_images/acer_s202hl.jpg" style="border: 1px solid rgb(219, 217, 197);">

John

Author:  gareth [ Fri Jun 10, 2011 5:58 pm ]
Post subject:  Re: New audit windows script

Mark,

One minor issue I've come across is that when auditing a Windows 7 machine the "Last Logged on User" is the last local user to log on rather than the last domain user.

Script works fine for Windows XP & Vista.

Now I've got my machines auditing I have to say OAv2 is looking very promising :D

Cheers,
Gareth

Author:  jpa [ Fri Jun 17, 2011 5:24 am ]
Post subject:  Re: New audit windows script

[quote="gareth"]One minor issue I've come across is that when auditing a Windows 7 machine the "Last Logged on User" is the last local user to log on rather than the last domain user.[/quote]

I'm not seeing this. However, while looking at the audit_windows.vbs code for last logged on user I see this code which is wrong but still works.
[code]
oreg.getstringvalue hkey_local_machine, "software\microsoft\windows\currentversion\authentication\logonui", "lastloggedonuser", windows_user_name
if isnull(windows_user_name) then
    oreg.getstringvalue hkey_local_machine, "software\microsoft\windows\currentversion\authentication\logonui", "lastloggedonsamuser", windows_user_name
    if isnull(windows_user_name) then
        windows_user_name = ""
    end if
else
    if len(net_domain) > 0 then
        lcase(windows_user_name = windows_user_name & windows_user_domain)
    end if
end if
[/code]

If lastloggedonuser is retrieved into windows_user_name successfully we branch to the else statement where we test the len of net_domain. I can't see that net_domain is defined or filled anywhere. Right now this works for me because windows_user_name gets filled with DOMAIN\User and the len(net_domain) test fails so we don't tack on windows_user_domain to the username which already includes it.
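
The lookup discussed in the post above, rewritten as an added example; it is not part of the thread and is not code from audit_windows.vbs. In the quoted snippet the `lcase(...)` line evaluates a comparison and discards the result, so this version assigns the lowercased name explicitly and only prepends a domain when the registry value has none. The function names, the `fallback_domain` parameter and the use of the local computer name as that fallback are assumptions made for illustration.

```vbscript
' Added example (not from audit_windows.vbs): read the last logged on user
' so that every branch does what it appears to do.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const LOGONUI_KEY = "software\microsoft\windows\currentversion\authentication\logonui"

' Hypothetical helper: normalise a registry value to lowercase "domain\user".
' fallback_domain is an assumption; the thread does not show where the
' original script gets its domain value from.
Function QualifyUserName(raw_name, fallback_domain)
    Dim name
    If IsNull(raw_name) Then
        QualifyUserName = ""
        Exit Function
    End If
    name = Trim(raw_name)
    If Len(name) = 0 Then
        QualifyUserName = ""
    ElseIf InStr(name, "\") > 0 Or Len(fallback_domain) = 0 Then
        ' Already DOMAIN\User (the case described in the post), or nothing to add.
        QualifyUserName = LCase(name)
    Else
        QualifyUserName = LCase(fallback_domain & "\" & name)
    End If
End Function

' Hypothetical helper: try LastLoggedOnUser first, then LastLoggedOnSAMUser.
Function LastLoggedOnUser(oreg, fallback_domain)
    Dim value
    value = Null
    oreg.GetStringValue HKEY_LOCAL_MACHINE, LOGONUI_KEY, "LastLoggedOnUser", value
    If IsNull(value) Then
        oreg.GetStringValue HKEY_LOCAL_MACHINE, LOGONUI_KEY, "LastLoggedOnSAMUser", value
    End If
    LastLoggedOnUser = QualifyUserName(value, fallback_domain)
End Function

Dim oreg, net
Set oreg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set net = CreateObject("WScript.Network")
WScript.Echo LastLoggedOnUser(oreg, net.ComputerName)
```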

All times are UTC + 10 hours